[Repost] Cryzip Ransomware Trojan Analysis

Original link: http://www.lurhq.com/cryzip.html
Author: LURHQ Threat Intelligence Group

URL
http://www.lurhq.com/cryzip.html

Release Date
March 11, 2006

Summary
In May 2005, a trojan called PGPcoder was discovered in the wild by Websense Security Labs. The trojan's purpose was to encrypt a user's files, then demand a ransom for their decryption. Although this scheme seemed novel, it is actually predated by over 15 years, by a similar scam in 1989. LURHQ's Threat Intelligence Group has now discovered a third such scheme involving ransomware which we are calling Cryzip.

Unlike PGPcoder, which used a custom encryption scheme (which was subsequently reverse-engineered by LURHQ), Cryzip uses a commercial zip library in order to store files inside a password-protected zip. Although the zip encryption is stronger, a brute-force attack is still possible on the files, especially if one has a copy of the original file inside the zip.

File Details

Filename: vcmauth.dll
Filesize: 1,191,936 bytes
MD5: 86a48836bced8c4a0b59fca972800890
SHA1: 0b3a49b3172fc65db607fcb1b8029820ec11c5b6
Packer: none
Compiler: Visual C++ 6.0
Compile Date: Thu Mar 2 18:11:02 2006
CME Number: none assigned
Identifying Strings:
zippo.dll
ZippoCrypt
_zippo_crypter_v1.0_

Analysis
When run, Cryzip searches the C: drive (except for files in directories named "system" or "system32") for files which it will zip, overwrite with the text "Erased by Zippo! GO OUT!!!", and then delete, leaving only the encrypted zip file with the name original-file-name_CRYPT_.ZIP, where original-file-name is the original file name complete with the file extension.
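A triage scanner for the artifacts described here, written as an added example and not code from the LURHQ report: it assumes only the original-file-name_CRYPT_.ZIP naming shown above and the per-directory AUTO_ZIP_REPORT.TXT note the analysis goes on to describe, and it builds its own constructed sample tree so it runs offline.

```python
"""Triage a directory tree for Cryzip artifacts (added example, not LURHQ code).
Cryzip replaces each target file with <name>_CRYPT_.ZIP and drops AUTO_ZIP_REPORT.TXT
in each directory it processes; both are flagged, and each archive is inspected."""
import os
import tempfile
import zipfile
from pathlib import Path

CRYPT_SUFFIX = "_CRYPT_.ZIP"
REPORT_NAME = "AUTO_ZIP_REPORT.TXT"

def original_name(crypt_name: str) -> str:
    """'budget.xls_CRYPT_.ZIP' -> 'budget.xls' (suffix compared case-insensitively)."""
    if not crypt_name.upper().endswith(CRYPT_SUFFIX):
        raise ValueError(f"not a Cryzip archive name: {crypt_name}")
    return crypt_name[: -len(CRYPT_SUFFIX)]

def inspect_crypt_zip(path: str, orig: str) -> str:
    """Does the archive hold the original file, and is that entry password-protected?"""
    try:
        with zipfile.ZipFile(path) as zf:
            if orig not in zf.namelist():
                return f"entry missing, found {zf.namelist()}"
            # ZIP general-purpose bit 0 set means the entry is encrypted, as a real Cryzip zip is.
            return f"entry matches, encrypted={bool(zf.getinfo(orig).flag_bits & 0x1)}"
    except zipfile.BadZipFile:
        return "not a valid zip"

def find_cryzip_artifacts(root: str) -> list:
    """Return sorted (kind, path, detail) tuples for every suspicious file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == REPORT_NAME:
                hits.append(("ransom_note", path, ""))
            elif name.upper().endswith(CRYPT_SUFFIX):
                orig = original_name(name)
                hits.append(("crypt_zip", path, f"original={orig}; {inspect_crypt_zip(path, orig)}"))
    return sorted(hits)

def scan_sample_tree() -> list:
    """Constructed sample; Python's zipfile cannot write encrypted zips, so encrypted=False here."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(os.path.join(tmp, "budget.xls" + CRYPT_SUFFIX), "w") as zf:
            zf.writestr("budget.xls", b"constructed placeholder content")
        Path(tmp, REPORT_NAME).write_text("OUR E-GOLD ACCOUNT: XXXXXXX\n")
        Path(tmp, "notes.txt").write_text("untouched file, must not be flagged\n")
        return find_cryzip_artifacts(tmp)
```

scan_sample_tree() builds a throwaway tree and returns the two hits; point find_cryzip_artifacts() at a real path for triage, where a genuine Cryzip archive reports encrypted=True.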

Cryzip searches for and zips files with the following extensions:
.arh, .asm, .arj, .bas, .cdr, .cgi, .chm, .cpp, .db1, .db2, .dbf, .dbt, .dbx, .doc, .dpr, .dsw,
.frm, .frt, .frx, .gtd, .gzip, .jpg, .key, .kwm, .lst, .man, .mdb, .mmf, .old, .p12, .pas, .pak,
.pdf, .pgp, .pwl, .pwm, .rar, .rtf, .safe, .tar, .txt, .xls, .xml, .zip

After it has finished processing a directory, Cryzip leaves a text file in the directory named AUTO_ZIP_REPORT.TXT, which contains the following text:

OUR E-GOLD ACCOUNT: XXXXXXX

INSTRUCTIONS HOW TO GET YUOR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.

This is automated report generated by auto archiving software.

Your computer catched our software while browsing illigal porn
pages, all your documents, text files, databases was archived
with long enought password.

You can not guess the password for your archived files - password
lenght is more then 10 symbols that makes all password recovery
programs fail to bruteforce it (guess password by trying all
possible combinations).

Do not try to search for a program what encrypted your information - it
is simply do not exists in your hard disk anymore.
If you really care about documents and information in encrypted files
you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know
password. Reporting somewhere about our e-gold account will not help
you to restore files. This is your only way to get yours files back.

------------------------------

How to pay to get your information back.

1. click on this link to open your free e-gold account - the first
  screen is the e-gold "terms and conditions" page. You need to
  agree to these by clicking on the "I AGREE" button on the bottom
  on the page.
2. On the next page is the sign up form:
   1. "Account name" - here is where you name your account - tip:
      make it easy to remember (as you will be asked for it) and
       reasonably short, example, "John's e-gold", "My Money e-gold"
      or perhaps "Felix" (whatever you like, just make it easy for
      you to remember it).
   2. "User Name" - here just repeat the account name (from 1 above).
   3. "Point of Contact" - this is where you put our name, address,
      phone number and email address (any email address can be used
      here but it is recommended you use your ISP address - not a
      free hotmail, etc address).
      It is also recommended your also include a fax number
      (don't have a fax number? This company offers free fax to email
      services). Try and make it as easy as possible for e-gold to contact
you.
   4. "Passphrase" - this is the most important piece of information
      connected to any e-gold account. We can not stress enough how
      important it is that your passphrase is kept safe and secure.
   5. "Turing Number Entry" - type the 6 numbers you see there into the
input
      box below.
   6.  The last step click "Open"

On the next page it will tell you that your e-gold account number has been
emailed to you.

check your email - you can expect to wait up to 5 minutes for your account
number
to arrive. If it does not arrive after 5 minutes then that means the email
address
you supplied was incorrect and you will have to open another new account (go
through
and repeat what you just did above again).

To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/

or try to search own way with
http://gold-pages.net/e-Gold__1M ... e_E-gold/index.html
http://www.google.com/search?hl= ... ;btnG=Google+Search

FINALLY when you bought e-gold you have to transfer $300 to our e-gold
account.
In next 24 hours you will recieve $1 back to your account. Transfer details
of this $1 transfer will have a link to software that will automatically
unzip all your files back to normal state.

Next day login to your account https://www.e-gold.com/acct/login.html,
press History and press submit, you will see LINK TO UNZIP-software.

##########################################################################
Remember you are just $300 away from your files
##########################################################################


At the top of the AUTO_ZIP_REPORT.TXT file, the number of an E-Gold account is inserted. This number is picked at random from a list embedded in the DLL. By operating many accounts simultaneously, the trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others. The complete list of E-Gold accounts is:

The text of the AUTO_ZIP_REPORT.TXT file is encrypted inside the Cryzip DLL, using simple XOR (0x13) encoding. The password used to zip the files is also embedded inside the DLL but it is not encrypted - instead, the author decided to hide the password in plain sight, so to speak. The password is:


C:\Program Files\Microsoft Visual Studio\VC98

Because this string often appears inside projects compiled with Visual C++ 6, the author likely figured anyone who found the infecting DLL and examined its strings looking for the password would simply overlook it.
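The single-byte XOR (0x13) obfuscation of the note is simple enough to undo generically. The following is an added example, not LURHQ's tooling: it recovers the key from a blob by ranking all 256 candidates on printable output, using the note's known first line "OUR E-GOLD ACCOUNT" as known plaintext, then extracts the decoded strings. The blob it runs on is constructed inline; the real DLL is not included.

```python
"""Pull single-byte-XOR-obfuscated text out of a binary blob (added example, not LURHQ code).
Cryzip kept its ransom note inside the DLL XOR-encoded with 0x13; recover_key() ranks all
256 keys by printable output with the note's known header as tie-breaker, and xor_strings()
then acts like `strings` on the decoded buffer."""
import re
import string

PRINTABLE = frozenset(string.printable.encode())
KNOWN_HEADER = b"OUR E-GOLD ACCOUNT"  # first line of AUTO_ZIP_REPORT.TXT

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def recover_key(blob: bytes) -> int:
    """Best single-byte key: printable-ratio score plus a bonus for known plaintext.
    The bonus matters: a small key maps letters onto other printable bytes, so
    key 0x00 (i.e. the raw blob) scores almost as well on statistics alone."""
    scored = []
    for key in range(256):
        out = xor_bytes(blob, key)
        scored.append((printable_ratio(out) + (1.0 if KNOWN_HEADER in out else 0.0), key))
    return max(scored)[1]

def xor_strings(blob: bytes, key: int, min_len: int = 8) -> list:
    """Decode with `key` and return printable ASCII runs of at least `min_len` bytes."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, xor_bytes(blob, key))
    return [r.decode("ascii") for r in runs]

# Constructed stand-in for a slice of the DLL: a few junk bytes around the encoded note.
NOTE = b"OUR E-GOLD ACCOUNT: XXXXXXX\r\n\r\nINSTRUCTIONS HOW TO GET YUOR FILES BACK\r\n"
SAMPLE_BLOB = b"\x00\x8f\xe3\x01" + xor_bytes(NOTE, 0x13) + b"\xff\xfe\x00"

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    for s in xor_strings(SAMPLE_BLOB, key):
        print(s)
```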

Conclusion
At this time the infection vector is unknown. Infection reports are not widespread, so it is not believed this is a mass threat by any means. Malware of this nature is actually more successful when it is delivered in low volumes, as it is less likely that anti-virus vendors will have detection for it, and more attention means the likely closing of the accounts used for the anonymous money transfer. As such, most users will probably not have to worry about this threat - keep in mind however that the two incidents in the last 10 months indicate the possible start of a trend of this type of malware, and future incidents may affect a wider swath of users. However, in most cases, simply having and using proper backup software would mitigate the risk from ransomware.

About LURHQ Corporation
LURHQ is the leading provider of Threat and Vulnerability Management services. LURHQ empowers security professionals at enterprise clients by partnering with them to provide the Consulting and Managed Security Services necessary to better align their security efforts with business risk. The result is the development of a strategic Threat and Vulnerability Management process that delivers an enhanced security posture, greater security operations efficiency, improved compliance and reduced security program costs. For more information visit http://www.lurhq.com.

Copyright (c) 2006 LURHQ Corporation Permission is hereby granted for the redistribution of this document electronically. It is not to be altered or edited in any way without the express written consent of LURHQ Corporation. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please e-mail advisories@lurhq.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties implied or otherwise with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Feedback
Updates and/or comments to:
LURHQ Corporation
http://www.lurhq.com/
advisories@lurhq.com